Sun Microsystems 10

Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks Effective: 30/11/2009

5.2.7.4. Zones in separate networks using the s hared IP instance

[dd/ug] Two local zones, zone1 and zone2, are located in separated networks and provide se rvices

for other networks.

−Each local zone should have its own physical interface in the network.

−Additional networks are connected to the network segment.

−Routing is used.

−There should be no communication between the local zones.

−Communication between the global zone and the local zones is not intended.

Implementation:

•The network interface intended for the local zone (e.g. bge1) must not be used

elsewhere in the global zone.

•To prepare for local zones, the interface for a local zone must be plumbed (but not

enabled):

ifconfig bge1 plumb down

Thereby, the interface gets the address 0.0.0.0 but is not active.

•The network configuration of the zones is established by setting the zones to the ready

status.

zoneadm -z zone1 ready

zoneadm -z zone2 ready

The addresses listed in the configuration (zone1: 192.168.201.1 and zone2:

192.168.202.1) are now active.

•The routes of the local zones are specified with zonecfg:set defrouter.

set defrouter=192.168.201.2

set defrouter=192.168.202.2

•In order to avoid communication between the local zones through the shared TCP/IP

stack, reject routes must be set in the global zone that prevent communication between

two IP addresses (or the use of ipfilter).

route add 192.168.201.1 192.168.202.1 -interface -reject

route add 192.168.202.1 192.168.201.1 -interface -reject

Alternatively the interzone loopback can be restricted:

ndd -set /dev/ip ip_restrict_interzone_loopback 1

•The zones can now be booted for operation:

zoneadm -z zone1 boot

zoneadm -z zone2 boot

•Option: To allow communication between the global and the local zone, an interface

which is located in the logical network of the local zone must be conf igured in the global

zone.

Figure 34: [dd] Zones in separate networks using the shared IP instance

192.168.201.0

Network

bge0 - 192.168.1.1

bge1 - 0.0.0.0

bge2 - 0.0.0.0

reject route 192.168.201.1 192.168.202.1

Global Zone

bge2:2 - 192.168.202.1

Def router - 192.168.202.2

Zone 2

bge1:1 - 192.168.201.1

Def router - 192.168.201.2

Zone 1

192.168.1.0

Network

192.168.202.0

Network